CS 395T Game-Based Verification of Contract Signing Protocols

Alternating Transition Systems uGame variant of Kripke structures R. Alur, T. Henzinger, O. Kupferman. “Alternating- time temporal logic”. FOCS uStart by defining state space of the protocol  is a set of propositions  is a set of players Q is a set of states Q 0  Q is a set of initial states  : Q  2  maps each state to the set of propositions that are true in the state uSo far, this is very similar to Mur 

Transition Function u  : Q   2 2 Q maps a state and a player to a nonempty set of choices, where each choice is a set of possible next states When the system is in state q, each player chooses a set Q a  (q,a) The next state is the intersection of choices made by all players  a   (q,a) The transition function must be defined in such a way that the intersection contains a unique state uInformally, a player chooses a set of possible next states, then his opponents choose one of them

Example: Two-Player ATS  = {Alice, Bob}  p   q  p  q p   q p  q A’s choices B’s choices

Example: Computing Next State  = {Alice, Bob}  p   q  p  q p   q p  q If A chooses this set… … B can choose either state Next state Next state

Alternating-Time Temporal Logic uPropositions p   u  or  1  2 where ,  1,  2 are ATL formulas u  A   ,  A   ,  A  1 U  2 where A  is a set of players, ,  1,  2 are ATL formulas These formulas express the ability of coalition A to achieve a certain outcome , , U are standard temporal operators (similar to what we saw in PCTL) uDefine  A    as  A  true U 

Strategies in ATL uA strategy for a player a  is a mapping f a :Q +  2 Q such that for all prefixes  Q* and all states q  Q, f a (  q)  (q,a) For each player, strategy maps any sequence of states to a set of possible next states uInformally, the strategy tells the player in each state what to do next Note that the player cannot choose the next state. He can only choose a set of possible next states, and opponents will choose one of them as the next state.

Temporal ATL Formulas (I) u  A    iff there exists a set F a of strategies, one for each player in A, such that for all future executions  out(q,F a )  holds in first state [1] Here out(q,F a ) is the set of all future executions assuming the players follow the strategies prescribed by F a, i.e., =q 0 q 1 q 2 …  out(q,F a ) if q 0 =q and  i q i+1   a  A f a ( [0,i]) uInformally,  A    holds if coalition A has a strategy such that  always holds in the next state

Temporal ATL Formulas (II) u  A    iff there exists a set F a of strategies, one for each player in A, such that for all future executions  out(q,F a )  holds in all states Informally,  A    holds if coalition A has a strategy such that  holds in every execution state u  A    iff there exists a set F a of strategies, one for each player in A, such that for all future executions  out(q,F a )  eventually holds in some state Informally,  A    holds if coalition A has a strategy such that  is true at some point in every execution

Protocol Description Language uGuarded command language Very similar to PRISM input language (proposed by the same people) uEach action described as [] guard  command guard is a boolean predicate over state variables command is an update predicate, same as in PRISM Simple example: []SigM1B   SendM2   StopB -> SendMrB1’:=true;

Fairness in ATL  B,Com   (contract A  A h   contract B ) Bob in collaboration with communication channels does not have a strategy to reach a state in which Bob has Alice’s signature but honest Alice does not have a strategy to reach a state in which Alice has Bob’s signature

Timeliness + Fairness in ATL  A h   (stop A  (  contract B  B,Com   contract A )) in which she can stop the protocol and Honest Alice always has a strategy to reach a state if she does not have Bob’s signature then Bob does not have a strategy to obtain Alice’s signature even if he controls communication channels

Abuse-Freeness in ATL  A   (proveToC   A   contract B   A   (aborted   B h   contract A )) she has a strategy to obtain Bob’s signature AND Alice doesn’t have a strategy to reach state in which she can prove to Charlie that a strategy to abort the protocol, i.e., reach a state where Alice has received abort token and Bob doesn’t have a strategy to obtain Alice’s signature

Modeling TTP and Communication uTrusted third party is impartial This is modeled by defining a unique TTP strategy TTP has no choice: in every state, the next action is uniquely determined by its sole strategy uCan model protocol under different assumptions about communication channels Unreliable: infinite delay possible, order not guaranteed –Add “idle” action to the channel state machine Resilient: finite delays, order not guaranteed –Add “idle” action + special constraints to ensure that every message is eventually delivered (rule out infinite delay) Operational: immediate transmission

MOCHA Model Checker uModel checker specifically designed for verifying alternating transition systems System behavior specified as guarded commands –Essentially the same as PRISM input, except that transitions are nondeterministic (as in in Mur  ), not probabilistic Property specified as ATL formula uSlang scripting language Makes writing protocol specifications easier uTry online implementation!